ID OSVDB:29926 Type osvdb Reporter Garvin Hicking() Modified 2006-10-18T03:49:07
Description
Vulnerability Description
Drupal contains a flaw that may allow a malicious user to forge HTTP requests to another Drupal website with the privileges of the currently logged on user. It is possible that this cross-site request forgery flaw may allow the posting of PHP code, the adding of users or changing of passwords on the affected website.
Solution Description
Upgrade to version 4.6.10 or 4.7.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
Drupal contains a flaw that may allow a malicious user to forge HTTP requests to another Drupal website with the privileges of the currently logged on user. It is possible that this cross-site request forgery flaw may allow the posting of PHP code, the adding of users or changing of passwords on the affected website.
{"enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2017-04-28T13:20:26", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-5476"]}], "modified": "2017-04-28T13:20:26", "rev": 2}, "vulnersScore": 5.8}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Drupal", "operator": "eq", "version": "4.7.0"}, {"name": "Drupal", "operator": "eq", "version": "4.6.5"}, {"name": "Drupal", "operator": "eq", "version": "4.6.2"}, {"name": "Drupal", "operator": "eq", "version": "4.6.7"}, {"name": "Drupal", "operator": "eq", "version": "4.6.6"}, {"name": "Drupal", "operator": "eq", "version": "4.7.2"}, {"name": "Drupal", "operator": "eq", "version": "4.6.1"}, {"name": "Drupal", "operator": "eq", "version": "4.6.3"}, {"name": "Drupal", "operator": "eq", "version": "4.7.3"}, {"name": "Drupal", "operator": "eq", "version": "4.6.9"}, {"name": "Drupal", "operator": "eq", "version": "4.6.4"}, {"name": "Drupal", "operator": "eq", "version": "4.7.1"}, {"name": "Drupal", "operator": "eq", "version": "4.6.0"}, {"name": "Drupal", "operator": "eq", "version": "4.6.8"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:29926", "id": "OSVDB:29926", "title": "Drupal Unspecified CSRF", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:26", "edition": 1, "reporter": "Garvin Hicking()", "description": "## Vulnerability Description\nDrupal contains a flaw that may allow a malicious user to forge HTTP requests to another Drupal website with the privileges of the currently logged on user. It is possible that this cross-site request forgery flaw may allow the posting of PHP code, the adding of users or changing of passwords on the affected website.\n## Solution Description\nUpgrade to version 4.6.10 or 4.7.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nDrupal contains a flaw that may allow a malicious user to forge HTTP requests to another Drupal website with the privileges of the currently logged on user. It is possible that this cross-site request forgery flaw may allow the posting of PHP code, the adding of users or changing of passwords on the affected website.\n## References:\nVendor URL: drupal.org\n[Vendor Specific Advisory URL](http://drupal.org/node/88828)\n[Secunia Advisory ID:22486](https://secuniaresearch.flexerasoftware.com/advisories/22486/)\n[Related OSVDB ID: 29927](https://vulners.com/osvdb/OSVDB:29927)\n[Related OSVDB ID: 29922](https://vulners.com/osvdb/OSVDB:29922)\nOther Advisory URL: http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.025-drupal.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0397.html\nKeyword: DRUPAL-SA-2006-025\nISS X-Force ID: 29679\nFrSIRT Advisory: ADV-2006-4120\n[CVE-2006-5476](https://vulners.com/cve/CVE-2006-5476)\n", "modified": "2006-10-18T03:49:07", "viewCount": 0, "published": "2006-10-18T03:49:07", "cvelist": ["CVE-2006-5476"]}
